Date: Thu, 4 Aug 2016 01:02:41 -0400 (EDT) From: cve-assign@...re.org To: zhangkaixiang@....cn Cc: cve-assign@...re.org, oss-security@...ts.openwall.com Subject: Re: cve request: docker swarmkit Dos occurs by repeatly joining and quitting swam cluster as a node -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 > I found a vulnerability in docker of the latest version which could > cause a Denial of Service, it results in a machine could not join the > swarm cluster after another node's repeatedly joining and quitting the > swarm for many times (taking my testing as example, it should need at > least one thousand times). Moreover, the docker debugging info > indicates the Dispatcher is stopped and ca server may exited > sometimes. > > Login machine A1 and join the swarm ,and then quitted the swarm. > > Login machine A2, repeatedly join and quit the swarm for 1000 times. > > After finishing that, Login machine A1 again and attempt to join the swarm, it failed. > > Error response from daemon: Timeout was reached before node was > joined. Attempt to join the cluster will continue in the background. > Use "docker info" command to see the current swarm status of your > node. > > level=error > msg="failed to remove node" > > level=error > msg="session failed" > error="rpc error: ... context canceled" > > level=debug > msg="heartbeat expiration" > > level=error > msg="failed deregistering node after heartbeat expiration" > error="... dispatcher is stopped" Use CVE-2016-6595. - -- CVE Assignment Team M/S M300, 202 Burlington Road, Bedford, MA 01730 USA [ A PGP key is available for encrypted communications at http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQIcBAEBCAAGBQJXossBAAoJEHb/MwWLVhi2FJ8QALlp1bYssp66abNelRpjiQXl ylHYSBTYhSMIpguerzlQv88l+O13uLfLtsC/fHPqb9+/cDG1icNHIjKuussr4HeQ hy3DRSn0D+63XXXHjRG5hvpBP3Sf8irAz3lnwaEHj01hlILsAbAV0CuTP2+lBz3X QtIojkBnHUUz/glGCT8VMavS85MakRwM7CV2upLJZptHaOiQlR8pa06FOBCBzWjJ TsxdIFgnlEWomN0Lsf+IKD5uc6n+kmZzmyBNR9hHDCkTNJLRgMEvqVmK1nqVgQPS jzvdrZSKF+BxQfPmONgrvSfQpSlEbJ4GFTYN0qeHqpt8SRJLJ0Uuy1ukzd+j6S8G oTuA1fAJsZFwsku40usqv3lbeBGWMmxj4ORKNXZkqUZLOVwXN+p6xbDDC8Qm/p/O EEF124dGsxSvlcoAGpOqjAHkzB+vrCBsi0kMlsPTb6zKRZSX7ql9jaG6riFJ4H0E nKooj0RQRZGo2V1Z1NQDc4dMQtQ4HrRHKpDKp5snMdafbwR2DxAD2Kh862JYo2Pp 3kmaQ/4X4oq3BFy9zwsAV3PZvBZJjerlk2MLxPktaQNSqKduriG9z9DxhPraQWaP kzml/+CylX7EEkV0hm+AZjt1+CMfxHAUQkvvRxi0NyhGLjqfIURI17CesCVNTYOS ww56x94Z2M9fplQcqRQK =Wgqx -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ